JAIC-edits to development branch

c3bbdf6c · Casey Spicer · Al Fontaine · 37db64f6 · c3bbdf6c · c3bbdf6c
Commit c3bbdf6c authored May 25, 2021 by Casey Spicer Committed by Al Fontaine May 25, 2021
Showing with 302 additions and 2 deletions

.gitattributes .gitattributes +2 -0

.gitignore .gitignore +9 -0

Dockerfile Dockerfile +99 -0

LICENSE LICENSE +33 -0

README.md README.md +8 -2

hardening_manifest.yaml hardening_manifest.yaml +151 -0

No files found.
--- a/.gitattributes
+++ b/.gitattributes
+# Auto detect text files and perform LF normalization
+* text=auto
--- a/.gitignore
+++ b/.gitignore
+*.whl
+*.rpm
+*.tar.gz
+*.ps1
+packages.txt
+repo/**
+test_commands.txt
+anchore-reports/**
+report.txt
--- a/Dockerfile
+++ b/Dockerfile
+ARG STAGE_REGISTRY=registry1.dso.mil
+ARG STAGE_IMAGE=ironbank/carnegie-mellon/python-ai/python38-ai
+ARG STAGE_TAG=3.8
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/opensource/jupyter/jupyterlab
+ARG BASE_TAG=3.0.14
+FROM ${STAGE_REGISTRY}/${STAGE_IMAGE}:${STAGE_TAG} AS multi-stage
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+COPY --from=multi-stage /opt/python /opt/python
+# Makes the python packages accessable
+ENV PATH="/opt/python/venv/bin:$PATH"
+USER root
+RUN yum upgrade -y        \
+    && yum clean all -y   \
+    && yum install -y     \
+        vim               \
+        zip               \
+        unzip             \
+        wget              \
+        net-tools         \
+        # gcc is needed for prophet
+        gcc-c++           \
+        git
+# Needed to use packges from multi-stage build in Jupyterlab
+RUN mkdir /tmp/repo
+COPY *.whl /tmp/repo
+RUN python3.8 -m pip install --no-index --find-links /tmp/repo    \
+        ipykernel                                                           \
+    && rm -rf /tmp/repo
+#########################
+# Compliance Mitigation #
+#########################
+# Removing unneeded vulnerable binaries
+RUN yum remove -y    \
+    binutils         \
+        # Medium - CVE-2021-20197, CVE-2021-20294, CVE-2021-3487
+    glibc-devel      \
+        # High   - CVE-2019-25013
+        # Medium - CVE-2021-3326
+        # Low    - CVE-2020-27618, CVE-2021-27645
+    glibc-headers    \
+        # High    - CVE-2019-25013
+        # Medium - CVE-2021-3326
+        # Low    - CVE-2020-27618, CVE-2021-27645
+    #glibc-langpack-en \
+    kernel-headers
+        # High   - CVE-2020-12362, CVE-2020-36313
+        # Medium - CVE-2019-20794, CVE-2020-0404, CVE-2020-0427, CVE-2020-0431, CVE-2020-10741, CVE-2020-12114, CVE-2020-12363, CVE-2020-12364, CVE-2020-13844, CVE-2020-14314, CVE-2020-14356, CVE-2020-14416, CVE-2020-15437, CVE-2020-15802, CVE-2020-24394, CVE-2020-24502, CVE-2020-24503, CVE-2020-24504, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25643, CVE-2020-25645, CVE-2020-25704, CVE-2020-26541, CVE-2020-27170, CVE-2020-27171, CVE-2020-27777, CVE-2020-27786, CVE-2020-27835, CVE-2020-28915, CVE-2020-28974, CVE-2020-29660, CVE-2020-35508, CVE-2020-36158, CVE-2020-4788, CVE-2020-8694, CVE-2021-0342, CVE-2021-20194, CVE-2021-20268, CVE-2021-28950, CVE-2021-28971, CVE-2021-28972, CVE-2021-29154, CVE-2021-29650, CVE-2021-3178, CVE-2021-3348, CVE-2021-3411, CVE-2021-3428, CVE-2021-3444
+        # Low    - CVE-2019-20095, CVE-2020-11608, CVE-2020-14390, CVE-2020-35501, CVE-2021-20239
+# Removing identified secret and SUID files
+RUN rm -rf /usr/share/doc/perl-IO-Socket-SSL/certs/                   \
+    && rm -rf /usr/share/doc/perl-IO-Socket-SSL/example/              \
+    && rm -rf /usr/share/doc/perl-IO-Socket-SSL/example/              \
+    && rm -rf /usr/share/doc/perl-Net-SSLeay/examples/server_key.pem  \
+    && chmod g-s /usr/libexec/openssh/ssh-keysign
+USER jovyan
+# Needed to use packges from multi-stage build in Jupyterlab
+# A new kernel is displayed and available for use within JupyterLab
+RUN python3.8 -m ipykernel install --name='AI_Packages' --user
+WORKDIR $HOME
+EXPOSE 8888
+HEALTHCHECK CMD pgrep "jupyter" > /dev/null || exit 1
+#################
+# Test Commands #
+#################
+# import sqlite3
+# import plotly
+# import pandas
+# import matplot
+# import seaborn
+# import numba
+# import numpy
+# import scipy
+# import sklearn
+# import tqdm
+# import urllib3
+# import requests
+# from bs4 import BeautifulSoup
+# from wordcloud import WordCloud
+# import statsmodels
+# import prophet
+# import django
+# import flask
--- a/LICENSE
+++ b/LICENSE
+Copyright (c) 2015 Project Jupyter Contributors
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+Semver File License
+===================
+The semver.py file is from https://github.com/podhmo/python-semver
+which is licensed under the "MIT" license.  See the semver.py file for details.
--- a/README.md
+++ b/README.md
-# <application name>
+# <application Jupyterlab>
-Project template for all Iron Bank container repositories.
+## Description
\ No newline at end of file
+A minimal jupyterlab notebook container implementing the jupyterlab interface (with left-navigation tabs etc.), Python3.8 (Iron Bank python36 base image) and pip version 21.0.1.
+This image is also inherits all the AI/ML packages from the python38-ai image.
+This image is an UBI 8 refactor of the opensource Dockerfile here: https://github.com/jupyter/docker-stacks/tree/master/base-notebook.
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "aiml/jupyter/jlab-eda"
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "3.8"
+- "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  STAGE_IMAGE: "ironbank/carnegie-mellon/python-ai/python38-ai"
+  STAGE_TAG: "3.8"
+  BASE_IMAGE: "opensource/jupyter/jupyterlab"
+  BASE_TAG: "3.0.14"
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "JupyterLab - Exploratory Data Analysis"
+  org.opencontainers.image.description: "JupyterLab with AI/ML EDA related packages installed"
+  org.opencontainers.image.licenses: "MIT License (MIT)"
+  org.opencontainers.image.url: " "
+  org.opencontainers.image.vendor: "jupyterlab"
+  org.opencontainers.image.version: "3.0.14"
+  mil.dso.ironbank.image.keywords: "jupyter,notebook,terminal,text editor,datascience,ui,data,science,sqlite3,plotly,pandas,matplot,seaborn,numba,numpy,scipy,sklearn,tqdm,urllib3,requests,BeautifulSoup,WordCloud,statsmodels,prophet,django,flask"
+  mil.dso.ironbank.image.type: "opensource"
+  mil.dso.ironbank.product.name: "jlab-eda"
+# List of resources to make available to the offline build context
+resources:
+- filename: Pygments-2.8.1-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/3a/80/a52c0a7c5939737c6dca75a831e89658ecb6f590fb7752ac777d221937b9/Pygments-2.8.1-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 534ef71d539ae97d4c3a4cf7d6f110f214b0e687e92f9cb9d2a3b0d3101289c8
+- filename: backcall-0.2.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/4c/1c/ff6546b6c12603d8dd1070aa3c3d273ad4c07f5771689a7b69a550e8c951/backcall-0.2.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: fbbce6a29f263178a1f7915c1940bde0ec2b2a967566fe1c65c1dfb7422bd255
+- filename: decorator-5.0.7-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/bc/b4/c208a551033a7abb67703be73dea3d917dbce528bd87bcd6f7dfceec7097/decorator-5.0.7-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 945d84890bb20cc4a2f4a31fc4311c0c473af65ea318617f13a7257c9a58bc98
+- filename: ipykernel-5.5.3-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/3a/7d/9f8ac1b1b76f2f1538b5650f0b5636bae082724b1e06939a3a9d38e1380e/ipykernel-5.5.3-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 21abd584543759e49010975a4621603b3cf871b1039cb3879a14094717692614
+- filename: ipython-7.22.0-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/c9/b1/82cbe2b856386f44f37fdae54d9b425813bd86fe33385c9d658d64826098/ipython-7.22.0-py3-none-any.whl
+  validation:
+    type: sha256
+    value: c0ce02dfaa5f854809ab7413c601c4543846d9da81010258ecdab299b542d199
+- filename: ipython_genutils-0.2.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/fa/bc/9bd3b5c2b4774d5f33b2d544f1460be9df7df2fe42f352135381c347c69a/ipython_genutils-0.2.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 72dd37233799e619666c9f639a9da83c34013a73e8bbc79a7a6348d93c61fab8
+- filename: jedi-0.18.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/f9/36/7aa67ae2663025b49e8426ead0bad983fee1b73f472536e9790655da0277/jedi-0.18.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 18456d83f65f400ab0c2d3319e48520420ef43b23a086fdc05dff34132f0fb93
+- filename: jupyter_client-6.1.12-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/77/e8/c3cf72a32a697256608d5fa96360c431adec6e1c6709ba7f13f99ff5ee04/jupyter_client-6.1.12-py3-none-any.whl
+  validation:
+    type: sha256
+    value: e053a2c44b6fa597feebe2b3ecb5eea3e03d1d91cc94351a52931ee1426aecfc
+- filename: jupyter_core-4.7.1-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/53/40/5af36bffa0af3ac71d3a6fc6709de10e4f6ff7c01745b8bc4715372189c9/jupyter_core-4.7.1-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 8c6c0cac5c1b563622ad49321d5ec47017bd18b94facb381c6973a0486395f8e
+- filename: parso-0.8.2-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/a9/c4/d5476373088c120ffed82f34c74b266ccae31a68d665b837354d4d8dc8be/parso-0.8.2-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: a8c4922db71e4fdb90e0d0bc6e50f9b273d3397925e5e60a717e719201778d22
+- filename: pexpect-4.8.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/39/7b/88dbb785881c28a102619d46423cb853b46dbccc70d3ac362d99773a78ce/pexpect-4.8.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 0b48a55dcb3c05f3329815901ea4fc1537514d6ba867a152b581d69ae3710937
+- filename: pickleshare-0.7.5-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/9a/41/220f49aaea88bc6fa6cba8d05ecf24676326156c23b991e80b3f2fc24c77/pickleshare-0.7.5-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 9649af414d74d4df115d5d718f82acb59c9d418196b7b4290ed47a12ce62df56
+- filename: prompt_toolkit-3.0.18-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/eb/e6/4b4ca4fa94462d4560ba2f4e62e62108ab07be2e16a92e594e43b12d3300/prompt_toolkit-3.0.18-py3-none-any.whl
+  validation:
+    type: sha256
+    value: bf00f22079f5fadc949f42ae8ff7f05702826a97059ffcc6281036ad40ac6f04
+- filename: ptyprocess-0.7.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/22/a6/858897256d0deac81a172289110f31629fc4cee19b6f01283303e18c8db3/ptyprocess-0.7.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35
+- filename: python_dateutil-2.8.1-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/d4/70/d60450c3dd48ef87586924207ae8907090de0b306af2bce5d134d78615cb/python_dateutil-2.8.1-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a
+- filename: pyzmq-22.0.3-cp38-cp38-manylinux2010_x86_64.whl
+  url: https://files.pythonhosted.org/packages/98/f0/848d7850eb8a65f3534c1f4d0e0ba8ba8de2d32a02fa9df1d41a08cc667f/pyzmq-22.0.3-cp38-cp38-manylinux2010_x86_64.whl
+  validation:
+    type: sha256
+    value: 9221783dacb419604d5345d0e097bddef4459a9a95322de6c306bf1d9896559f
+- filename: setuptools-56.0.0-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/ae/42/2876a3a136f8bfa9bd703518441c8db78ff1eeaddf174baa85c083c1fd15/setuptools-56.0.0-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 7430499900e443375ba9449a9cc5d78506b801e929fef4a186496012f93683b5
+- filename: six-1.15.0-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: 8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+- filename: tornado-6.1-cp38-cp38-manylinux2010_x86_64.whl
+  url: https://files.pythonhosted.org/packages/7a/4a/4fafa6f032f9e202ce5bc1becacef5588a34fd0f0539fdcc705fa2b5ca4a/tornado-6.1-cp38-cp38-manylinux2010_x86_64.whl
+  validation:
+    type: sha256
+    value: d14d30e7f46a0476efb0deb5b61343b1526f73ebb5ed84f23dc794bdb88f9d9f
+- filename: traitlets-5.0.5-py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/f6/7d/3ecb0ebd0ce8dcdfa7bd47ab85c1d4a521e6770ef283d0824f5804994dfe/traitlets-5.0.5-py3-none-any.whl
+  validation:
+    type: sha256
+    value: 69ff3f9d5351f31a7ad80443c2674b7099df13cc41fc5fa6e2f6d3b0330b0426
+- filename: wcwidth-0.2.5-py2.py3-none-any.whl
+  url: https://files.pythonhosted.org/packages/59/7c/e39aca596badaf1b78e8f547c807b04dae603a433d3e7a7e04d67f2ef3e5/wcwidth-0.2.5-py2.py3-none-any.whl
+  validation:
+    type: sha256
+    value: beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784
+# List of project maintainers
+maintainers:
+- email: "daniel.komnick@gmail.com"
+  name: "Daniel Komnick"
+  username: "dkomnick"
+  cht_member: false
+- email: "remccarthy@sei.cmu.edu"
+  name: "Rob McCarthy"
+  username: "remccarthy"
+  cht_member: false